Re: problems with KB951746

HOW are you bypassing ISA during these tests?

Browsing from the server directly through the external NIC.

And secondly, you mentioned you cannot call CSS because you cannot have
the fix installed in production....so how have you done the testing you've
already done at the level of detail you've indicated?

I did a lot of testing in the weeks just after the patch came out and before
I realized that it was the source of my problem.

-Cliff

"Gary Karasik" <gkarasik@xxxxxxx> wrote in message
news:uFkR2u6$IHA.5660@xxxxxxxxxxxxxxxxxxxxxxx
You originally posted this a couple weeks ago as a different thread.
"Attn: Susan Bradley" or somesuch. As I recall, it was ONE SBS server
and as of the end of the week last week, you had decided to contact
Microsoft CSS. So, my questions are:

1) What did CSS say?

I tried 800-PCSAFETY, but that's really consumer oriented, and they
weren't much help. I haven't called CSS. There's no real point because I
can't have the fix in place during production--the internet is
practically unusable--and there are no symptoms outside of production for
CSS to troubleshoot.

2) Did you make changes to the other three servers within the last week?
I'm trying to pinpoint why the problem has spread...

No changes. The problem hasn't spread--only my awareness of it. One of
them was having DSL problems, and I attributed the Inet slowdown to that.
But as soon as the DSL troubles were cleared up, it became obvious they
were having the same problem. On another one the office was closed for a
couple of weeks--clients attending a convention--so again there was no
load on the system and no obvious symptoms. The fourth is a small office
full of really sweet people who didn't want to bother me about the slow
internet response times.


3) Do any of the four servers run *without* ISA? I'd like to
troubleshoot on a network as 'clean' as possible...

Sadly, no. But I can bypass ISA and reproduce the problem.

4) Do all four servers connect to the internet using the same ISP?

No.

I appreciate your focusing on this.

GaryK



"Gary Karasik" <gkarasik@xxxxxxx> wrote in message
news:ug9WDl0$IHA.1180@xxxxxxxxxxxxxxxxxxxxxxx
Agreed. But in this case it's moot. The issue persists even if both
firewalls are bypassed.

--

GaryK


"Cliff Galiher" <cgaliher@xxxxxxxxx> wrote in message
news:hIadnXIUU8UcpjvVnZ2dnUVZ_j6dnZ2d@xxxxxxxxxxxxxx
Depends on how aggressive the firewall is with its intrusion
prevention measures. Blocking legitimate IP addresses responding on
ports the firewall doesn't expect will cause problems. And three or
more people using the net will cause the firewall to block IPs more
rapidly. Never *assume* that the problem isn't somewhere. Test and
verify...test and verify... :)

-Cliff

"Gary Karasik" <gkarasik@xxxxxxx> wrote in message
news:u7%23gyc0$IHA.3756@xxxxxxxxxxxxxxxxxxxxxxx
Also, if this were a firewall issue, I think it would be there all
the time, not just when the system is under load.

--

GaryK


"Cliff Galiher" <cgaliher@xxxxxxxxx> wrote in message
news:I5OdnRWuYKkGijvVnZ2dnUVZ_uqdnZ2d@xxxxxxxxxxxxxx
Gary,

I doubt the patch, or SBS, is the problem here. What I suspect is
happening is that the patch is doing what it is supposed to do. But
one of the things the patch does is cause the source port to be
randomized. If your firewall is not configured to allow DNS traffic
from a random source port then your recursive DNS requests are being
stopped at the firewall...and you'll get the symptoms you describe.
It is also possible, but less likely, that your ISP's DNS servers
are misconfigured and are unable to reply on odd source ports.

So this is where I'd start....look at your network perimeter and see
if you can verify there is a firewall issue.
Then, if you are CONFIDENT that you are okay there and the speed
issue remains, reconfigure SBS (CEICW) and point it to another DNS
server that is known to be patched and working (openDNS is a good
option here).

I'm fairly confident you'll be able to fix the issue from there.

Let me know if that helps,

-Cliff

"Gary Karasik" <gkarasik@xxxxxxx> wrote in message
news:%236rvj2y$IHA.5660@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

I can't decide how to proceed with getting this problem solved.
When the server-side DNS-vulnerability patch (951746) is installed,
all my SBS2K3 systems are exhibiting the same problem: extremely
slow internet access when the system is under load, meaning when
three or more clients are trying to access the internet at once.

With the patch uninstalled everything returns to normal. This is
not resolved by reserving ports as one fix suggests.

The problem seems to be that DNS can't resolve quickly when the
patch is installed. Sometimes it is so slow that the system times
out. I've tried different forwarders, different DNS servers, and
root hints only. If the patch is installed, nothing helps.

Someone has posted a message about this in the SBS private forum,
but he isn't getting much help.

My indecision stems from the fact that no symptoms show if there is
no load, so if I call CSS after hours I can't show them any
symptoms, and I don't want to load the patch during a work day
because access is so slow that client work slows to a virtual
standstill, the remote branches' connections to Exchange server stop
responding, and local clients can't do any work that involves the
internet.

I think I'm just going to have to live with this and hope that MS
comes up with a fix for someone else and I hear about it.

Maybe someone here can suggest an approach, because I'm stumped as
to how to proceed.

--

GaryK
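A way to test Cliff's firewall hypothesis directly, before touching the patch or the forwarders. This is an added example, not code from anyone in this thread. It sends a batch of DNS queries where every query leaves from a fresh random high UDP source port (the behaviour the patch introduces on the DNS service), then repeats the batch pinned to a single source port, and reports which ports never got a reply. The resolver address (192.0.2.53, a documentation-range placeholder) and the query name are assumptions; replace them with the forwarder the SBS box actually uses. It is written in Python, which is not on an SBS 2003 box by default, so run it from any machine that sits behind the same perimeter (or from the server with ISA bypassed, the way Cliff describes).

```python
"""Probe whether DNS replies reach random high UDP source ports through the perimeter.

Added example; not code from any poster in the thread. The resolver address and
query name under __main__ are placeholders (assumptions), not values from the thread.
"""
import random
import socket
import statistics
import struct
import time


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal RFC 1035 A query with the RD (recursion desired) bit set."""
    # id, flags (RD only), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data: bytes, expected_txid: int) -> dict:
    """Decode just the header: enough to tell a genuine reply from stray traffic."""
    if len(data) < 12:
        raise ValueError("short DNS packet")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return {
        "txid_ok": txid == expected_txid,
        "is_response": bool(flags & 0x8000),  # QR bit
        "rcode": flags & 0x000F,
        "answers": ancount,
    }


def probe_source_ports(resolver: str, name: str, count: int = 20,
                       timeout: float = 2.0, port_range=(49152, 65535)) -> list:
    """Send `count` queries, each from a fresh random UDP source port in `port_range`.

    Returns one (source_port, answered, seconds) tuple per query. A run over the
    full ephemeral range compared with a run pinned to one port
    (port_range=(p, p + 1)) separates "perimeter drops replies to ports it does
    not expect" from "the resolver itself is slow".
    """
    results = []
    for _ in range(count):
        txid = random.randrange(0, 65536)
        sport = random.randrange(port_range[0], port_range[1])
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.bind(("0.0.0.0", sport))
            except OSError:
                continue  # port already in use locally; not a network result
            started = time.monotonic()
            s.sendto(build_query(name, txid), (resolver, 53))
            try:
                data, _ = s.recvfrom(512)
                info = parse_response(data, txid)
                ok = info["txid_ok"] and info["is_response"]
            except (OSError, ValueError):  # timeout, ICMP unreachable, junk
                ok = False
            results.append((sport, ok, time.monotonic() - started))
    return results


def summarize(results: list) -> dict:
    """Aggregate probe results into what you would hand to the firewall admin."""
    answered = [r for r in results if r[1]]
    rtts = [r[2] for r in answered]
    return {
        "sent": len(results),
        "answered": len(answered),
        "failed_ports": sorted(r[0] for r in results if not r[1]),
        "median_rtt_ms": round(statistics.median(rtts) * 1000, 1) if rtts else None,
    }


if __name__ == "__main__":
    RESOLVER = "192.0.2.53"    # assumption: your forwarder / ISP resolver
    NAME = "www.example.com"   # assumption: any name the resolver will answer
    random_run = summarize(probe_source_ports(RESOLVER, NAME))
    pinned_run = summarize(probe_source_ports(RESOLVER, NAME, port_range=(53000, 53001)))
    print("random source ports:", random_run)
    print("single source port :", pinned_run)
```

Reading the output: if the pinned-port run answers quickly while the random-port run lists failed_ports or a much higher median RTT, something on the path is dropping or delaying replies to source ports it does not expect, which is exactly the condition Cliff describes. If both runs fail or crawl equally, the resolver path itself is the problem and the patch's port randomization is not the trigger. Note the probe uses the probing host's own sockets, not the DNS Server service's socket pool, so it isolates the perimeter rather than exercising the patched service.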
